@vgaetera : thanks for your replies!
The webserver is running on UNIX, not Windows. No firewall on that host is blocking packets. I have indeed already used "tcpdump" on that webserver to confirm that no such packets are arriving on its interfaces.
You say that I don't need this "config rule" block in /etc/config/firewall, but that config has been generated from my settings in the LuCI web interface, in its "Port forwards" tab.
Do you mean that I should not configure the port forwarding in that particular tab of LuCI? What is then the correct part of the LuCI web interface to configure port forwarding in?
You also write that the "source_dip" and "dest_port" parts of that "config rule" block are redundant. What exactly do you mean by that, since these lines too (just like the entire config file) have been generated by the LuCI web interface from my port forwards?
I am not 100% sure about the necessity of specifying "source_dip", but in any case "dest_port" looks essential to me: it states explicitly to which internal destination port (i.e. on my webserver) the original destination port (i.e. as it arrived from the web at my firewall) must be forwarded. Or am I missing something in the definitions of the fill-in boxes of the LuCI web interface?
uci show network:
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd91:aec4:7bce::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.ipaddr='10.50.0.3'
network.lan.netmask='255.255.255.0'
network.lan.dns='10.50.0.28'
network.WAN=interface
network.WAN.ifname='eth1'
network.WAN.proto='static'
network.WAN.ipaddr='192.168.0.10'
network.WAN.netmask='255.255.255.0'
network.WAN.gateway='192.168.0.1'
network.WAN.broadcast='192.168.0.255'
ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP qlen 1000
link/ether b8:27:eb:61:57:77 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
link/ether 58:d5:6e:3e:19:b5 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.10/24 brd 192.168.0.255 scope global eth1
valid_lft forever preferred_lft forever
inet6 fe80::5ad5:6eff:fe3e:19b5/64 scope link
valid_lft forever preferred_lft forever
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether b8:27:eb:61:57:77 brd ff:ff:ff:ff:ff:ff
inet 10.50.0.3/24 brd 10.50.0.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe61:5777/64 scope link
valid_lft forever preferred_lft forever
ip r:
default via 192.168.0.1 dev eth1
10.50.0.0/24 dev br-lan scope link src 10.50.0.3
192.168.0.0/24 dev eth1 scope link src 192.168.0.10
ip ru:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
iptables-save:
# Generated by iptables-save v1.6.2 on Thu Feb 28 18:55:42 2019
*nat
:PREROUTING ACCEPT [63034:22094061]
:INPUT ACCEPT [2881:471422]
:OUTPUT ACCEPT [53:3999]
:POSTROUTING ACCEPT [5:351]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_postrouting -s 10.50.0.0/24 -d 10.50.0.14/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web (reflection)" -j SNAT --to-source 10.50.0.3
-A zone_lan_postrouting -s 10.50.0.0/24 -d 10.50.0.14/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs (reflection)" -j SNAT --to-source 10.50.0.3
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -s 10.50.0.0/24 -d 192.168.0.10/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web (reflection)" -j DNAT --to-destination 10.50.0.14:80
-A zone_lan_prerouting -s 10.50.0.0/24 -d 192.168.0.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs (reflection)" -j DNAT --to-destination 10.50.0.14:443
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -d 192.168.0.10/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web" -j DNAT --to-destination 10.50.0.14:80
-A zone_wan_prerouting -d 192.168.0.10/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: webs" -j DNAT --to-destination 10.50.0.14:443
COMMIT
# Completed on Thu Feb 28 18:55:42 2019
# Generated by iptables-save v1.6.2 on Thu Feb 28 18:55:42 2019
*mangle
:PREROUTING ACCEPT [27895068:18456194704]
:INPUT ACCEPT [282696:28911080]
:FORWARD ACCEPT [27479825:18388144463]
:OUTPUT ACCEPT [279876:27588003]
:POSTROUTING ACCEPT [27759701:18415732466]
COMMIT
# Completed on Thu Feb 28 18:55:42 2019
# Generated by iptables-save v1.6.2 on Thu Feb 28 18:55:42 2019
*filter
:INPUT ACCEPT [2888:179628]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [63:4308]
:forwarding_lan_rule - [0:0]
:forwarding_log_chain - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j LOG --log-prefix "HTTP-SYN:"
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -j LOG --log-prefix "HTTP-ACK-FIN:"
-A forwarding_log_chain -p tcp -m tcp --dport 80:443 -j LOG --log-prefix "HTTP-DPRT-ALL:"
-A forwarding_rule -j forwarding_log_chain
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -p tcp -m comment --comment "!fw3: Allow-all-outgoing" -j ACCEPT
-A zone_lan_forward -p udp -m comment --comment "!fw3: Allow-all-outgoing" -j ACCEPT
-A zone_lan_forward -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-all-out-PING" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: Zone wan to lan forwarding policy" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
COMMIT
# Completed on Thu Feb 28 18:55:42 2019
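One check worth running on a dump like the one above, as an added example (not code from the post, from OpenWrt or from fw3): for each firewall zone, find the rules in the built-in PREROUTING, INPUT and FORWARD chains that actually dispatch traffic into that zone's chains. In the quoted output the lan zone is hooked three times (`-A PREROUTING -i br-lan ... -j zone_lan_prerouting`, `-A INPUT -i br-lan ... -j zone_lan_input`, `-A FORWARD -i br-lan ... -j zone_lan_forward`), but there is no matching `-i eth1 ... -j zone_wan_*` rule anywhere, so the DNAT rules sitting in `zone_wan_prerouting` can never be reached by packets arriving on eth1. That is consistent with tcpdump on the webserver seeing nothing. fw3 attaches a zone to devices through the interface names listed in the zone's `network` option; when that list does not resolve to an interface in /etc/config/network (names are case-sensitive, and the interface here is called `WAN`), the zone's chains are created but never hooked. The sample input embedded below is a constructed, trimmed subset of the post's iptables-save output; the function and variable names are this example's own.

```python
"""Report which fw3 zone chains are reachable from the built-in chains.

Added example, not from the forum post or from fw3. It parses iptables-save
text and, for every zone that declares zone_<name>_prerouting/_input/_forward
chains, lists the in-interfaces on which the built-in chains jump into them.
A zone with chains but no jump is effectively inactive: its DNAT/ACCEPT rules
can never match, so a port forward defined in it silently does nothing.
"""
import re
import shlex
from collections import defaultdict

# Constructed sample: a trimmed subset of the iptables-save output quoted in
# the post (nat and filter tables only; counters zeroed).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A zone_wan_prerouting -d 192.168.0.10/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: web" -j DNAT --to-destination 10.50.0.14:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:zone_lan_input - [0:0]
:zone_lan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_forward - [0:0]
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
COMMIT
"""

# fw3 hook name -> the netfilter built-in chain that should dispatch to it.
BUILTIN_HOOKS = {"prerouting": "PREROUTING", "input": "INPUT", "forward": "FORWARD"}
ZONE_CHAIN_RE = re.compile(r"^:zone_([A-Za-z0-9_]+)_(prerouting|input|forward) ")
RULE_RE = re.compile(r"^-A (\S+) (.*)$")


def parse_iptables_save(text):
    """Return (zones, jumps).

    zones: set of zone names that declare a prerouting/input/forward chain.
    jumps: target chain -> list of (source chain, in-interface or None) for
           every '-A <source> ... -j <target>' rule in the dump.
    """
    zones = set()
    jumps = defaultdict(list)
    for line in text.splitlines():
        m = ZONE_CHAIN_RE.match(line)
        if m:
            zones.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        src_chain, args = m.groups()
        # shlex keeps quoted --comment strings together so their words are
        # never mistaken for -i / -j options.
        tokens = shlex.split(args)
        in_if = target = None
        for i, tok in enumerate(tokens[:-1]):
            if tok == "-i":
                in_if = tokens[i + 1]
            elif tok == "-j":
                target = tokens[i + 1]
        if target:
            jumps[target].append((src_chain, in_if))
    return zones, jumps


def zone_hooks(text):
    """Map each zone to {hook: [interfaces on which the built-in chain jumps
    into that zone's chain]}; '*' stands for a jump without an -i match."""
    zones, jumps = parse_iptables_save(text)
    report = {}
    for zone in sorted(zones):
        report[zone] = {}
        for hook, builtin in BUILTIN_HOOKS.items():
            chain = f"zone_{zone}_{hook}"
            report[zone][hook] = sorted(
                iface or "*" for src, iface in jumps.get(chain, []) if src == builtin
            )
    return report


def unhooked_zones(text):
    """Zones whose chains exist but are never jumped to from a built-in chain."""
    return sorted(z for z, hooks in zone_hooks(text).items() if not any(hooks.values()))


if __name__ == "__main__":
    for zone, hooks in zone_hooks(SAMPLE).items():
        print(f"{zone}: {hooks}")
    print("zones with no built-in hook:", unhooked_zones(SAMPLE))
```

On a live router the same functions can be fed the output of `iptables-save` directly; a zone listed by `unhooked_zones` is the first thing to compare against the `network` option of the corresponding `config zone` in /etc/config/firewall.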